A hot potato: Ever since the Associated Press exposed that Google is still tracking users who have turned off Location History on their accounts, the company has come under intense scrutiny. A new study finds that Location History and Web & App Activity are only the tip of the iceberg.

A new study titled “Google Data Collection” published on Tuesday catalogs how much data Google is collecting from users and how it is cobbled together to make a salable product. The analysis was conducted by Vanderbilt University Computer Science Professor Douglas C. Schmidt. While many of his findings are not surprising, they are nonetheless remarkable.

Schmidt’s study reveals that stationary idle Android devices send information to Google servers nearly ten times more often than iPhones communicate with Apple servers. Digital Content Next reports that in a 24-hour period, the Android device sent data to Google 340 times. Location information comprised about 35 percent of the data samples. This finding was conducted with Chrome and Safari running in the background of the respective devices.

Furthermore, much of the supposedly anonymous data is stitched together with personally identifiable information by Google.

“Google has the ability to associate anonymous data collected through passive means with the personal information of the user. Google makes this association largely through advertising technologies, many of which Google controls. Advertising identifiers—which are purportedly “user anonymous” and collect activity data on apps and third-party webpage visits—can get associated with a user’s real Google identity through passing of device-level identification information to Google servers by an Android device.”

All of this data collection can and does happen while the user is not even actively engaged in using the phone. During active periods the data collection increases significantly.

For example, Schmidt reports that the search behemoth can and does associate the “DoubleClick cookie” with users’ Google accounts. This cookie tracks activity on third party websites. If a user were to pull up a Google application, say Gmail, in the same browser that contains the DoubleClick cookie, it could associate that tracking information with the user’s Google account.

Android also frequently uploads location information obtained via WiFi.

“The ubiquity of Wi-Fi hubs has made location tracking quite frequent,” said Schmidt. “For example, during a short 15- minute walk around a residential neighborhood, an Android device sent nine location requests to Google. The request collectively contained ~100 unique BSSIDs of public and private Wi-Fi access points.”

More astonishing is the fact that even if you have WiFi turned off, Android is still tracking you. This is because it continues to scan for available signals. There is an entirely separate setting for WiFi scanning that needs to be disabled before WiFi tracking is entirely turned off.

This less than intuitive method for preventing Google from tracking your location using WiFi is similar to the multi-step process for disabling Location History and Web & App Activity that brought about all this scrutiny in the first place. Lack of transparency and difficulty in opting out is the main complaint, and it seems that it is happening on multiple levels.

Furthermore, Google is capable of determining your activity from the location data that it uploads with a high degree of accuracy. Combining location coordinates at frequent intervals with sensor data from the phone’s accelerometer, the company can conclude whether you are walking, running, riding a bike, driving in a car, or even taking a train. This is evidenced by the snapshot from a Google user location upload below.

A Google spokesperson responding to concerns about the DoubleClick cookie’s utilization in Incognito Mode pointed out that a DC lobbyist group commissioned Schmidt's study and that Schmidt is also a witness for Oracle in their suit against Google.

“So, it's no surprise that it contains wildly misleading information,” the spokesperson said.

Of course, any amount of salt that you should be advised to take with this study can equally be applied to any denials from Google. After all, this is its business model — this is the price that is exacted for offering “free” services.

Nothing is ever truly free. How does Google pay for those virtually unlimited Gmail accounts? Or Google Docs? Or any other “free” service the company provides? The consumer is the product. User’s who don’t want to be tracked and targeted for advertising by Google should simply stop using its services, that includes the Android operating system. For two billion Android users, this is easier said than done.

It is not limited to just Google though. If you are getting something for nothing from anybody, dig deeper — something is being gained by the person or business offering you the free stuff.

Images via Douglas C. Schmidt